Barcodes on airline boarding passes can be read by readily available barcode readers and contain information used to determine which security protocols a traveler will be subject to, security researchers have discovered.
The worry is that travelers, who can print boarding passes at home up to 24 hours before their flight, could alter the barcodes to determine whether they are subjected to a conventional security check or to the less stringent, expedited-security Pre-Check procedure. That's information that could potentially give an advantage to a would-be terrorist.
Chit-chat about the security flaw has been happening in online forums since July, the Washington Post reported, but the issue only gained serious attention last week when aviation blogger John Butler said he'd discovered that the information stored on the barcode was unencrypted.
"I'm publishing this because I am seriously concerned with boarding-pass security in the United States," Butler wrote after decoding his own boarding pass with a tool available on the Web.
The Transportation Security Administration responded to a request for comment from TechNewsDaily with a boilerplate email detailing which airlines and types of passenger qualify for the Pre-Check program.
Butler published the decoded information and pointed to a digit — either a 1 or a 3 — that he said indicated whether he would be expedited or sent through conventional security.
Not only could an individual use this knowledge of the barcode to cause harm, Butler warned, but that individual could also change the barcode.
Anyone can "use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode," Butler warned. "Finally, using a commercial photo-editing program or any program that can edit graphics, replace the barcode in their boarding pass with the new one they created."
Publicly available information corroborates Butler's claim, the Washington Post reported.
Sen. Charles Schumer (D-N.Y.), who has been a vocal critic of the TSA's airport-screening measures, said this latest revelation was another cause for concern.
"This has the potential to be a gaping flaw in the system that would be all too easy to exploit," he told the Post. "At the very least, if someone is flagged for a random screening, that information should be encrypted."